First of all, my apologies about my English level. It's Yoda level, and it's a Jedi tradition. Just forgive me. I'm Fatih Özavcı. I have been a penetration tester for 13 years. My special expertise is in voice over IP servers, voice over IP infrastructure, mobile applications, and also other things. I'm the author of the Viproy voice over IP penetration testing kit. Also, I published a small paper about SIP trust relationship hacking. Also, I demonstrated the Viproy voice over IP penetration testing kit yesterday at Black Hat Arsenal. Anyone from Black Hat Arsenal here? Okay. We should wrap up here.
About this Viproy part. Viproy is a penetration testing kit. I will discuss a few advanced attacks, and Viproy has a few modules to demonstrate or exploit these attacks, and this is a small Viproy demonstration. Viproy has a few modules right now, but I'm working on three more modules. It's a Metasploit modules pack. You can download it and extract it in the Metasploit root directory. So you can use it to discover SIP infrastructure, voice over IP infrastructure. You can collect information from SIP servers. Also you can get a few important things from SIP servers. Also you can enumerate target servers. Here is Viproy in action. It has debug support. Also it has verbose support. That means you can easily collect information from this debug data. Discovery can be used for collecting information. So we can use all of the SIP infrastructure and protocol methods in this collecting part and discovery part.
So, Viproy has register options, invite, subscribe and a few methods to discover features of a SIP server. It's basically a SIP client, but a smart one. You can easily develop another module for your custom test or something else. It has a SIP library, actually a Metasploit Rex library. That's a register test. We can register an infrastructure, or we can register a client, or we can register a user using Viproy to a SIP server. Also, we can initiate calls, with a user or without a user, over a SIP proxy or not. Also, we have a few headers in a SIP request. So, we can manipulate this request and its headers to bypass billing, to bypass restrictions of SIP ACLs or SIP firewalls. This is a basic demonstration of the basic features of Viproy. I will talk about these basic features now, but I will discuss a few advanced attacks in this session. Also, I have another demo at the end of this presentation for these advanced attacks.
It's really hard to get picked to speak at DEF CON.
Let's give him a big round of applause.
So, this is his first time speaking.
So, we need him to do a shot on stage.
Okay.
Cheers.
Cheers.
It's def a surprise.
Do you need another one?
No, not now.
Maybe later.
All right.
Thanks a lot.
Thank you, guys.
I have no reason I'm fine right now.
So, okay.
Thank you.
We should pass this part, this action, or... okay, a few people are coming. We can start the actual presentation. You can watch this video, what I just played. It's already on YouTube. Also I played this video at many security conferences to show Viproy's basic features and basic attack abilities. So I will discuss these attacks and how we can use these attacks to bypass the security features of SIP servers.
And this is my agenda today. Discovery, footprinting, collecting information, initiating a call, initiating a bypass for CDR or billing or restrictions or something else. Also we have another attack, the SIP bounce attack. I will explain it. Also, fake services and MITM. Yeah, we have another module, a SIP proxy, for the MITM thing. Also SIP servers should be available 7/24. So we can attack them using those features or something else. Also we have another feature, hacking SIP trust relationships, because they trust each other. So we can act like just one of them. Okay. So we can use these SIP features or SIP trust hacking features to attack another client, a specific mobile client and other desktop clients. Also advanced fuzzing is another subject for us. I will discuss a few fuzzing features. Out of scope is actually RTP. I will add RTP features later. Also additional services are not a separate subject. Also XML or JSON-based supporting services are not required for this presentation.
SIP is the Session Initiation Protocol. It's just a signaling protocol for NGN services or SIP-based telephony services. Next generation network is postmodern TDM devices. Actually, sorry, HP blade-like systems. They have three or maybe more soft switches, RTP proxies, SIP proxies or something else. So they should connect MSAN or devices. I will show an infrastructure for this sample. So SIP and the Megaco protocol, also RTP, are part of this NGN infrastructure. Also SIP should be implemented securely. So we will hack this SIP protocol and we will hack this NGN infrastructure. They use the next generation network term, but I believe it's not, because SIP is an old protocol. SIP has many security weaknesses, and we will discuss these weaknesses in this presentation.
This is a sample SIP server in your network. If you have a network, a commercial network, it should be placed just like this. By the way, commercial services are completely different. This is a sample of next generation network infrastructure. The SIP server, also known as a soft switch, is part of this infrastructure. SDP servers, also other servers, such as VAS or DBI or CDR, these servers should be connected with SIP. So we are going to implement these SIP-based soft switches. Also, MSAN devices and Media Gateway devices should be implemented for endpoint termination. For the connection between MSAN, Media Gateway devices and soft switches, the protocol is Megaco. Other connections, especially redirecting calls between soft switches, should be SIP, S-I-P. Also, you should know you use many softphone applications on your mobile phones. That means you already have SIP services and you are a customer of a SIP provider. But, here's the thing.
They think they are secure. But it's not. Especially their infrastructure is vulnerable. This infrastructure is not closed. But they think it's closed. Actually, it's open physical access. Also, you can easily manipulate endpoint terminators such as devices, smart modems or something else. Also, they think abusing voice over IP requires specific knowledge. That's no longer the case with Viproy, because we have many features to easily test this SIP server's features and security. Also, they focused on toll-based attacks, toll fraud or something else. But we have many attacks: spying, phishing, surveillance or DDoS attacks, or attacking actual mobile clients or desktop clients. Also, value-added services are another important vulnerable service. Also, they think their vulnerable devices are well configured and secure. They are vulnerable. They use old software. They use actual legacy software. Solaris 5 or Linux 5. They are using Slackware 2.1 or something else. So we can easily bypass and exploit them. But that is not our real subject. We will discuss a specific one, the SIP protocol.
Viproy is a Vulcan-ish word. That means call. Viproy has many modules to test SIP server security. So we can actually initiate a few advanced attacks. We have mostly all basic attacks for these target SIP servers using Viproy's modules. Also it has custom header support. It has authentication support, but in many ways: just proxy authentication, server authentication, for different hashing algorithms and a few other ones. Also, I have a few new modules, such as a trust analyzer, short-circuit analysis, a private message service tester or bounce scan module, a DDoS initializer, or directly an MITM proxy tool. You can use this tool to test the attacks which we will discuss now.
Basic attacks are important. They are not new. But we have no sufficient tools to analyze these types of attacks. Sandro Gauci left SIPVicious. He left it. Also, SIPp, SIPsak, and other tools are not sufficient for penetration testing of SIP servers. We should create another one. I should create another one because I need it. So I created Viproy to analyze the security of SIP servers, especially their features: discovering SIP servers, enumerating SIP servers, collecting remote users' internal numbers or clients, brute force attacks for internal numbers, users with a password list or not, also identifying specific numbers, identifying value added services or something else. If you use this test after authentication, you have no choice except Viproy. By the way, brute forcing or invite features, they are required to test special features of SIP security. Also we can initiate direct invite attacks. We can initiate invite spoofing attacks, or we can initiate proxy redirected invite attacks. So we can easily bypass CDR records or ACLs or maybe invoice things. Viproy easily automates this type of attack.
This is the basic discovery thing. This discovery step is basic, just like other penetration testing types. We should send a request and we will wait for the response to analyze. So we can send options, register, invite, subscribe, message, or all methods. So we have all of them in Viproy. Another one is that we should analyze headers in the response: on the left side, generic headers, and on the right side, proxy headers and warnings. We can collect much information from these headers: MSAN devices, invoice information, remote service software, or whether it's vulnerable or not. Registrar is another important test, because many value added services have no authentication. So we can do this. Another thing is that these specific services or specific trunks or specific gateways have no authentication, to heat up or to speed up the connection. So we can initiate a register attack to detect these no-authentication services. Also we can register our specific port and IP address to initiate raw attacks, such as raw fuzzing. We will discuss this in the fuzzing section.
But you should know, SIP servers have many authentication skills. So if it has an authentication, just like that, it waits for your registration and it sends a privileged ACL, or it accepts your specific IP address and port for other requests without authentication. If this type of authentication is available, you can register your specific port and IP address to initiate other attacks, such as direct invite, spoofing, or fuzzing things. By the way, the register attack could be used for brute force or something else.
We have many more attack types. Also we can bypass many things using proxy headers or a few specific features, such as changing the From field, changing the Contact field, adding specific proxy headers, such as charging vector, or changing identity over proxy headers, such as P-Asserted-Identity, calling party ID, or P-Preferred-Identity. These headers could be used to bypass billing or security, SIP-specific firewalls, acting just like another SIP proxy. We can use these attacks. Also we have another attack, just re-invite or update. We can send a re-invite request or update request during a call to change its charging vector, to change its billing features. So we can use these features. Also you can develop a specific tool or specific module for Viproy. Invite request issues are just like that: we will send an invite and we will get a specific response. We can change many headers. So we can easily bypass rules, protected or not. Specific headers I've already mentioned. Also it's just basic usage. But we will use invite for specific tests, for another test, just the trust analyzer or something else.
This is the SIP bounce attack. It's similar to the FTP bounce attack. If the remote target has proxy support, we can use it to scan other servers, which are trusted or not. So we can use it basically. These are screenshots. So this tool exposes user agents or servers of remote servers and untrusted ones. It works just like that. We will send a register or options or invite request to the target remote server. Also we will change its realm or URI to connect to another one. So we can collect this information. It's important for us because remote servers and front-end servers are well protected, and these servers have many call ACLs. So we can use these remote targets, if they have proxy support, to scan other specific features and other inaccessible servers. Also we can initiate other attacks, just trust relationships.
Also just now I should mention another thing. I have a friend for you. I will mention it after the... sorry. I should mention it after the video. But I already shot, you know. So this is my friend. It's a gift for the best question. It's a five-year-old special Turkish record. I'm from Turkey, as you know. So if you shoot me a good question, you will have this bottle. If we will have no time to create a Q&A section, you will find me at the chill-out bar. Chill-out bar or Q&A section, or just push me or attack me to ask a question. So we will continue again.
Fake services is another subject. We should discuss fuzzing features or specific MITM attacks. Because our regular SIP clients, generic SIP clients, have no features to bypass billing or security features. Also, they have no support for invite spoofing. So we will add an MITM tool. We can change our clients' features. For example, adding invite support, invite spoofing support, specific proxy header support to bypass billing. Also, we can use this feature to fuzz SIP clients or servers. We can easily change specific data with fuzzing requests. So we will have a few crashes from SIP clients or servers. Fake servers, fake services, is not a good idea. MITM is not yet ready. By the way, MITM is ready. I updated Viproy's GitHub repository. So you can easily download it and you can use it. This MITM feature is useful for testing or adding specific features. You can use it freely. But I should mention, if you use it to collect information, collect credentials from clients, such as MITM, you can use it for MITM attacks or something else. You should use ARP scan or ARP spoof or VLAN hopping attacks. You should be a man in the middle to collect this information.
Also, DoS is another important thing when we discuss SIP servers. It's not a server. It's a business. So money is really important for them. So we can attack their availability, the SIP server. We can lock all users if they have an account locking policy. Also, we can initiate many calls at the same time. So we can overflow the call limits of the server. Or we can ring all clients at the same time. It's possible. So we can use those things easily. By the way, we can use these attacks to bypass a few features. For example, if you need to act just like a SIP proxy, you should disable it. So you can use these tools to disable or make unresponsive this remote SIP server. By the way, we have another attack. SIP servers send many responses. It's an RFC. So we can initiate a bogus request. For example, unauthenticated invites or something else. They will send us many responses. 10 plus, 20 plus, maybe more. So we can send IP spoofed requests to target SIP servers. So this remote SIP server will send responses to another DDoS target. Just like that. So we can search many servers, many SIP servers. And we can collect all of them to initiate a DDoS attack. You should remember, all SIP servers, all SIP services should contain many SIP servers for gateway connection, for international connection, for redirection or backup. So we can use all of them in the same network. And acting, another one, we cannot access.
Also trust relationship hacking is another subject. We can act just like a SIP proxy. So we can act and we can initiate a call, we can send messages, or we can attack mobile clients via the SIP relationships. NGN servers should trust each other. Because TCP is slow and TLS or other encryptions are slow, by the way, they require much CPU usage. So NGN infrastructure vendors prefer UDP-based SIP authentication and UDP-based trust. So we can attack just like a SIP proxy or something else.
We need specific information for this attack. We should have an internal number. Basically, we should be a customer of this service, because we should have a software or hardware client to view the caller ID. We will spread IP spoofed and port spoofed packets to this target server. And if this server trusts other IPs, there will be a call and we will learn its basic IP address and port. In baby steps, we should find trusted SIP networks, mostly B-class, and the IP address and port. We should send requests, invite requests, for each IP and port. That means 60,000, maybe more, requests. If this server, the target server, accepts one of them, we will have a call. But we will have no idea about which one is trusted. Here is the thing. We have an invite spoofing section. So I will add the IP and port in the From field. That means when we have a call, we should see which IP and port is trusted in the From field and calling number. Okay.
Here is the schema and demo. There's an attacker. The attacker has no idea about Ankara's or Istanbul's IP addresses and networks. He should know only the B-class network, maybe the C-class network. He should have a soft client from the Izmir server, this production server. He will spread, he will initiate IP spoofed packets from this field, just like sending from Istanbul or Ankara. And when we have a call, we will see the IP address and port. That means Izmir trusts Istanbul's IP address and port. Okay. How can we use it? It's trusted. But we can initiate a call. If we have a specific IP address and port, we can send the specific IP address and port, and we can send a specific From field, and we can initiate a call. So, it's an invite spoofing also. It's a CDR and billing bypass. By the way, probably you should ask, or you will ask: it's just one packet and we used IP spoofing and we have no responses, so how does the call work? How will it be received? It's not. All that is required is the IP address and port.
We have a packet to send another one. For example, internal number 101. One packet is sufficient for the main attacks. I will show you. By the way, in the message protocol, a message method has no resume or no state. So you can send this message, a short message or something else, to the remote server, just like it came from Istanbul or something else, which is trusted. That means you can exploit specific voice over IP features, voice mailbox features, value added services, just like sending a register request for us with the short message service. Invoice me this month. We can spoof this message. So we can change it. Or we can act a few features. "I'm not here, redirect me" or something else. Okay. Just send us a message, which one is required, or where you will be available. Okay. "Redirect" space my internal number. That's a small message. We can send it. So we can handle all calls. It's possible.
By the way, we can use it to initiate those attacks. For example, ringing all clients, bypassing a few features, initiating many calls to overload servers or VAS services, or CDR fields. By the way, we can attack specific mobile clients or desktop clients. When we send this invite request or message request, we have a few features. From, From name, and Contact fields will be the same. We can send this request to the remote server and the remote server will redirect these fields to the client. So we can fuzz it or we can crash it with many A's in the From field or From name field or Contact fields. Also, we have message support. So we can exploit this vulnerability over message, too. Also, maybe, you know, SIP and SDP have many features. So this type of SDP request or SDP content should be redirected. Also, MIME type support should be available. And you can manipulate MIME types or their content of this request to crash the mobile application. These clients trust the remote IP address and port, so we can initiate IP spoofing easily. And basically, I crashed an application. Another iPhone SIP client, which you can download from the App Store, has a vulnerability. It has no border control in the From field. So we can send 550 characters in this field and it will crash. It will be crashed. So we can exploit it. Okay. We should summarize and collect it.
We can send a packet from Istanbul, which we have no idea about, and we cannot access this Istanbul, to Izmir, the production server. We have its IP address, yes. But it will redirect this call to another one, something else. We have no idea of its IP address. But it has an internal number, just like your cell number or something else. So there is no user interaction. The application will crash. There is a client attack. So many applications can be vulnerable. So we can use this to crash a specific application. We can never modify it. Those customers have this file vulnerable to this type of attack. After this we'll... Asterisk has a limit. Only 1,000 characters, maybe more. By the way, for other commercial products, there's no restriction for this From field. So we can use this From field, From name field, Contact field or other MIME types to crash this specific application. Also.
Also, we have fuzzing. Anybody loves fuzzing. But fuzzing is completely different in the SIP protocol. You have many fuzzers. But these fuzzers are old. And it's really important because vendors use these old tools to evolve their products. So you have no vulnerabilities to find using these tools. You should change your perspective or vision. We can fuzz it in many ways, acting just like a SIP server, a SIP client, an attacker, or just acting like a proxy or something else. But old school fuzzing is not sufficient. Request-based and response-based fuzzing. Difference. It has a few differences. Request-based fuzzing is popular and we have many tools for request fuzzing. But they have no state feature. They cannot track the whole call and they cannot fuzz for us during a call. Our newest SIP fuzzing tool was published at DEF CON 2007. So we have had no new tool for almost six years. We can develop our specific fuzzing tool, especially for response-based fuzzing. So we can use these features in Viproy's specific SIP library. We can initiate specific fuzzing features. How about smart fuzzing? Smart fuzzing should be really smart. It should have state support. It should have many methods such as subscribe, ACK, PRACK, or invite, re-invite, update. We have no support in meta tools. Also, fuzzing after the authentication is a completely different thing, because we have no tools to fuzz remote servers after authentication or with authentication. So we have another thing. Yes, fuzzing is cool, especially crashing an application. But in SIP servers, we should fuzz specific numbers for value added services: detecting their features, detecting free call features, or detecting a few specific things. So you can easily create your basic fuzzer.
Okay. Viproy. How does it help you? It is a basic SIP library. A few modules have dumb fuzzing support. I will show you. Also, we have custom header support. So we can easily bypass many things before fuzzing. Also, less code. Only 20 lines, maybe more. We can easily develop our tools. Also, it has raw request support. So you can combine it with your generic fuzzer. It's really free. Fuzzing SIP services request-based. Okay. You already knew this request-based fuzzing and I will bypass it. But you should know, headers should be fuzzed. Proxy headers or something else. Okay. Here's the thing. Response-based fuzzing is not popular. Also, there is no tool to fuzz response features of a SIP server. Just imagine you have two clients. One for acting just like a remote SIP client. Just one for attacking and fuzzing the remote SIP client. If you have multiple clients and you think that you will be able to use the service during this call, you can initiate two clients separately. And you can drive all of them separately. Also you can initiate many using this library. Starting one and starting two. After that, you will initiate a call from starting two and the target is one. Also, you can add ramps for the invite fuzzing feature during this call. You can add the SDP fuzzing feature during this call. Also this response is important because when you send a request to a server, the server redirects the request to another client. If this client sends bogus responses, this remote server should assess and analyze and execute this response. 200 OK, for example. So we can send bogus responses. So it's a specific feature. You can develop your tools using Viproy. Viproy has many features. So we have a few things to develop, such as advanced fuzzing support, RTP support, TCP and TLS support, or many more. By the way, it's MSF licensed, so you can download it freely. You can change it. You can develop your tools with this library. That's it. I will show another demo.
This demo was prepared to show the SIP bounce attack, hacking SIP trust relationships, detecting trusted servers, initiating a fake call, and after that, crashing a mobile client. This is an example. I have a network, actually a small network, 3 SIP servers and 4 SIP clients. We can initiate this SIP bounce attack to detect servers and clients, trusted or not. We can use a remote SIP proxy server. We will have 2 SIP servers now. One is ours, another one is inaccessible for us. Also, we have another range, 200 and 210. I will set this range to detect remote SIP servers and clients during the test. As you see, there are many SIP servers. One of them is a SIP server, the others are SIP clients.
SIP trust hacking is a basic and old method, but we can use it easily for NGN platforms, especially in a local network. So, we can easily bring SIP trust to the local network. We can break the physical network with smart modem hacking or physical hacking, breaking locks or something else. And we can initiate this attack. Also, public SIP services are also vulnerable to this type of attack. SIP services, trust hacking should be prepared with a specific target range. And I set the SIP server, the remote server. The source remote host is the potential network. Also, I can set a port range, because they can use any ports for trust or something else. Also, we should set the interface for IP spoofing and the raw request. And internal number 103. And we will initiate this attack. If we have a number, we have an IP or something else. We will learn which host is trusted. As you see, 202 and its port 5060 is trusted. It's a pair. It's a port for restriction and ACL. So, I can set specifically this one. And I will initiate the call. This is the trusted host and I set the From field for invite spoofing. I can write anything. I write Occupy Gezi. If you already knew the Gezi Park resistance in Turkey, it's a tribute. By the way, if you don't know, you can search this tag on Twitter. As you see, we have a call.
Also we can crash a mobile application. This mobile application is Adore on iPhone. You can download it from the App Store. I downloaded it and I initiated a secure shell session on the left side, and I started a debugger, and I crash it with the right terminal. I only set the action to call. I set the From field to fuzz features, for example set from fuzz 550. Also I will set the To field. That means our destination, our internal number, remote. So, I initiated the debugger. You can watch this video on YouTube too. It's available from Viproy VoIP kit's homepage. As you see, it's really easy to use because it's a Metasploit module set. On the left side, as you see, 138 is the iPhone's IP address, but I have no idea and I didn't set it in my tool. I initiated, you know, the debugger to debug the Adore phone application. It's the PID. And the GNU debugger will be initiated for this PID. It's continuing. When I start the attack, you should watch and you should see, on the left side, a kernel invalid address issue. We have a memory corruption vulnerability. And it's an error. It's a basic DoS attack. By the way, it can be exploited. Feel free to develop an exploit for this vulnerability using this tool. So, you can download this presentation from my homepage, also Viproy's homepage. You can download this tool from Viproy's homepage. Also, it's in the GitHub source code section. By the way, you have a 15 minute training video. You can use it.
Also, these papers. Yeah, these people helped me to present. Also, they encouraged me. I have much respect for them. Yes, I have only one minute. So, I will be chilling out at the cafe. I have this one for you. If you come to ask a specific question or a smart question, I will give it to you. Okay? Thank you.
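As an added example, not part of the talk and not Viproy's code, here is a small Python inspector for two of the header weaknesses the talk describes: From/Contact values long enough to crash a client (the 550-character case), and identity or charging headers such as P-Asserted-Identity and P-Charging-Vector honoured only because a spoofable UDP source address looks trusted. The length limit, the authenticated-peer list and the two sample INVITEs are assumptions constructed for this example.

```python
"""Sanity checks for an inbound SIP request before call processing (hypothetical)."""
import re
from dataclasses import dataclass, field

# Headers a trusted proxy uses to assert identity or billing data. Accept them
# only from peers that actually authenticated, never on the basis of source IP.
PRIVILEGED_HEADERS = {
    "p-asserted-identity", "p-preferred-identity", "p-charging-vector",
}
# Conservative per-header limit chosen for this example (assumption).
MAX_HEADER_VALUE_LEN = 256
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


@dataclass
class SipRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)  # lowercased name -> [values]


def parse_sip_request(raw: str) -> SipRequest:
    """Minimal parser: request line plus CRLF-separated headers, body ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0][:40])
    req = SipRequest(method=m.group(1), uri=m.group(2))
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line[:40])
        req.headers.setdefault(name.strip().lower(), []).append(value.strip())
    return req


def inspect_request(raw: str, src_ip: str, authenticated_peers: set) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    req = parse_sip_request(raw)
    # (a) Overlong user-visible headers: these get relayed to the callee's client.
    for name in ("from", "to", "contact"):
        for value in req.headers.get(name, []):
            if len(value) > MAX_HEADER_VALUE_LEN:
                findings.append(f"overlong {name} header ({len(value)} chars)")
    # (b) Privileged headers from a source that did not authenticate.
    if src_ip not in authenticated_peers:
        for name in sorted(PRIVILEGED_HEADERS.intersection(req.headers)):
            findings.append(f"{name} from unauthenticated source {src_ip}")
    return findings


# Constructed sample: a plain INVITE from an authenticated trunk peer.
BENIGN_INVITE = (
    "INVITE sip:101@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:200@192.0.2.10>;tag=abc\r\n"
    "To: <sip:101@pbx.example>\r\n"
    "Call-ID: 1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:200@192.0.2.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: spoofed source, 550-character From display name and a
# charging header the sender is not entitled to set.
SPOOFED_INVITE = (
    "INVITE sip:101@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-2\r\n"
    f"From: \"{'A' * 550}\" <sip:spoof@203.0.113.7>;tag=xyz\r\n"
    "To: <sip:101@pbx.example>\r\n"
    "Call-ID: 2@203.0.113.7\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:spoof@203.0.113.7:5060>\r\n"
    "P-Charging-Vector: icid-value=free-call\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    peers = {"192.0.2.10"}
    print(inspect_request(BENIGN_INVITE, "192.0.2.10", peers))   # []
    print(inspect_request(SPOOFED_INVITE, "203.0.113.7", peers))
```

Running it prints an empty list for the trunk INVITE and two findings for the spoofed one; feeding the same spoofed packet with a peer address still flags the overlong From, which is the case a client-side crash depends on.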
